
Feature/update sprinkler workflow #8597

Closed
wants to merge 4 commits into from

Conversation

sukeshreddyg
Contributor

A reference to the issue / Description of it

{Please write here}

How does this PR fix the problem?

{Please write here}

How has this been tested?

Please describe the tests that you ran and provide instructions to reproduce.

{Please write here}

Deployment Plan / Instructions

Will this deployment impact the platform and / or services on it?

{Please write here}

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Planned and discussed how it should be deployed to PROD (if needed)

Additional comments (if any)

{Please write here}

Contributor

#### `Trivy Scan` Success
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on


Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T08:34:20Z INFO [vulndb] Need to update DB
2024-11-26T08:34:20Z INFO [vulndb] Downloading vulnerability DB...
2024-11-26T08:34:20Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:34:22Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:34:22Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T08:34:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T08:34:22Z INFO [misconfig] Need to update the built-in checks
2024-11-26T08:34:22Z INFO [misconfig] Downloading the built-in checks...
2024-11-26T08:34:23Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 673.651µs, allowed: 44000/minute"
2024-11-26T08:34:23Z INFO [secret] Secret scanning is enabled
2024-11-26T08:34:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T08:34:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T08:34:24Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T08:34:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T08:34:24Z INFO Number of language-specific files num=0
2024-11-26T08:34:24Z INFO Detected config files num=2
trivy_exitcode=0
```

</details>

#### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/single-sign-on

*****************************

Running Checkov in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-26 08:34:27,249 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 
'${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/member-shared-services"}', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 
'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 'iam:DeleteUserPermissionsBoundary', 
'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 'iam:UpdateAssumeRolePolicy', 
'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/member-shared-services"}', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access'}, 'statement.2.resources.0': '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 'statement.2.resources.1': '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/member-shared-services"}', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 
'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 08:34:27,299 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition.2 and value {'values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}} forvertex attributes {'__end_line__': 1053, '__start_line__': 907, 'statement': [{'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 
'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'sid': 'coreSharedServicesCreateGrantAllow'}], 'statement.0': {'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, 'statement.0.actions': ['*'], 'statement.0.actions.0': '*', 'statement.0.condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 
'statement.0.condition.0': {'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, 'statement.0.condition.0.test': 'ForAnyValue:StringNotLike', 'statement.0.condition.0.values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'statement.0.condition.0.values.0': '$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.values.1': '*:$${aws:ResourceTag/Owner}', 'statement.0.condition.0.values.2': '*:$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.variable': 'aws:PrincipalTag/github_team', 'statement.0.condition.1': {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, 'statement.0.condition.1.test': 'Null', 'statement.0.condition.1.values': ['False'], 'statement.0.condition.1.values.0': 'False', 'statement.0.condition.1.variable': 'aws:ResourceTag/Owner', 'statement.0.condition.2': {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.2.test': 'StringEquals', 'statement.0.condition.2.values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}, 'statement.0.condition.2.values.0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)', 'statement.0.condition.2.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'ABACEc2Deny', 'statement.1': {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 
'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, 'statement.1.actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 
's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'statement.1.actions.0': 'application-autoscaling:ListTagsForResource', 'statement.1.actions.1': 'athena:StartQueryExecution', 'statement.1.actions.2': 'athena:StopQueryExecution', 'statement.1.actions.3': 'autoscaling:SetDesiredCapacity', 'statement.1.actions.4': 'autoscaling:StartInstanceRefresh', 'statement.1.actions.5': 'autoscaling:UpdateAutoScalingGroup', 'statement.1.actions.6': 'aws-marketplace:ViewSubscriptions', 'statement.1.actions.7': 'ds:*Snapshot*', 'statement.1.actions.8': 'ds:*Tags*', 'statement.1.actions.9': 'ds:ResetUserPassword', 'statement.1.actions.10': 'ec2:CopyImage', 'statement.1.actions.11': 'ec2:CopySnapshot', 'statement.1.actions.12': 'ec2:CreateImage', 'statement.1.actions.13': 'ec2:CreateSnapshot', 'statement.1.actions.14': 'ec2:CreateSnapshots', 'statement.1.actions.15': 'ec2:CreateTags', 'statement.1.actions.16': 'ec2:DescribeInstanceTypes', 'statement.1.actions.17': 'ec2:DescribeInstances', 'statement.1.actions.18': 'ec2:DescribeVolumes', 'statement.1.actions.19': 'ec2:ModifyImageAttribute', 'statement.1.actions.20': 'ec2:ModifyInstanceAttribute', 'statement.1.actions.21': 'ec2:ModifySnapshotAttribute', 'statement.1.actions.22': 'ec2:RebootInstances', 'statement.1.actions.23': 'ec2:StartInstances', 'statement.1.actions.24': 'ec2:StopInstances', 'statement.1.actions.25': 'ecs:DescribeServices', 'statement.1.actions.26': 'ecs:ListServices', 'statement.1.actions.27': 'ecs:UpdateService', 'statement.1.actions.28': 'identitystore:DescribeUser', 'statement.1.actions.29': 'kms:Decrypt*', 'statement.1.actions.30': 'kms:DescribeKey', 'statement.1.actions.31': 'kms:Encrypt', 'statement.1.actions.32': 'kms:GenerateDataKey*', 'statement.1.actions.33': 'kms:ReEncrypt*', 'statement.1.actions.34': 'rds:CopyDBClusterSnapshot', 'statement.1.actions.35': 
'rds:CopyDBSnapshot', 'statement.1.actions.36': 'rds:CreateDBClusterSnapshot', 'statement.1.actions.37': 'rds:CreateDBSnapshot', 'statement.1.actions.38': 'rds:RebootDB*', 'statement.1.actions.39': 'rhelkb:GetRhelURL', 'statement.1.actions.40': 's3:Get*', 'statement.1.actions.41': 's3:List*', 'statement.1.actions.42': 's3:PutObject', 'statement.1.actions.43': 'secretsmanager:DescribeSecret', 'statement.1.actions.44': 'secretsmanager:GetSecretValue', 'statement.1.actions.45': 'secretsmanager:ListSecret*', 'statement.1.actions.46': 'ssm-guiconnect:*', 'statement.1.actions.47': 'ssm:*', 'statement.1.actions.48': 'sso:ListDirectoryAssociations', 'statement.1.actions.49': 'support:*', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'databaseAllowNull', 'statement.2': {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, 'statement.2.actions': ['secretsmanager:PutSecretValue'], 'statement.2.actions.0': 'secretsmanager:PutSecretValue', 'statement.2.condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'statement.2.condition.test': 'StringEquals', 'statement.2.condition.values': ['full'], 'statement.2.condition.values.0': 'full', 'statement.2.condition.variable': 'secretsmanager:ResourceTag/instance-management-policy', 'statement.2.effect': 'Allow', 'statement.2.resources': ['*'], 'statement.2.resources.0': '*', 'statement.2.sid': 'SecretsManagerPut', 'statement.3': {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, 'statement.3.actions': ['sns:Publish'], 'statement.3.actions.0': 'sns:Publish', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:sns:*:*:Automation*'], 
'statement.3.resources.0': 'arn:aws:sns:*:*:Automation*', 'statement.3.sid': 'snsAllow', 'statement.4': {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, 'statement.4.actions': ['lambda:InvokeFunction'], 'statement.4.actions.0': 'lambda:InvokeFunction', 'statement.4.effect': 'Allow', 'statement.4.resources': ['arn:aws:lambda:*:*:function:Automation*'], 'statement.4.resources.0': 'arn:aws:lambda:*:*:function:Automation*', 'statement.4.sid': 'lambdaAllow', 'statement.5': {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'sid': 'coreSharedServicesCreateGrantAllow'}, 'statement.5.actions': ['kms:CreateGrant'], 'statement.5.actions.0': 'kms:CreateGrant', 'statement.5.condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'statement.5.condition.test': 'Bool', 'statement.5.condition.values': [True], 'statement.5.condition.values.0': True, 'statement.5.condition.variable': 'kms:GrantIsForAWSResource', 'statement.5.effect': 'Allow', 'statement.5.resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'statement.5.resources.0': '${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}', 'statement.5.sid': 'coreSharedServicesCreateGrantAllow'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 08:34:27,482 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 
'statement.0.actions.4': 'athena:StartQueryExecution', 'statement.0.actions.5': 'athena:StopQueryExecution', 'statement.0.actions.6': 'ce:CreateReport', 'statement.0.actions.7': 'dms:ModifyReplicationTask', 'statement.0.actions.8': 'dms:StartReplicationTask', 'statement.0.actions.9': 'dms:StopReplicationTask', 'statement.0.actions.10': 'dynamodb:DeleteItem', 'statement.0.actions.11': 'dynamodb:DescribeTable', 'statement.0.actions.12': 'dynamodb:GetItem', 'statement.0.actions.13': 'dynamodb:PutItem', 'statement.0.actions.14': 'glue:*DefinedFunction', 'statement.0.actions.15': 'glue:*Job', 'statement.0.actions.16': 'glue:*JobRun', 'statement.0.actions.17': 'glue:*Trigger', 'statement.0.actions.18': 'glue:Batch*Partition', 'statement.0.actions.19': 'glue:BatchDeleteTable', 'statement.0.actions.20': 'glue:BatchGetJobs', 'statement.0.actions.21': 'glue:CreateDatabase', 'statement.0.actions.22': 'glue:CreatePartition', 'statement.0.actions.23': 'glue:CreateSession', 'statement.0.actions.24': 'glue:CreateTable', 'statement.0.actions.25': 'glue:DeleteDatabase', 'statement.0.actions.26': 'glue:DeletePartition', 'statement.0.actions.27': 'glue:DeleteTable', 'statement.0.actions.28': 'glue:Get*', 'statement.0.actions.29': 'glue:List*', 'statement.0.actions.30': 'glue:RunStatement', 'statement.0.actions.31': 'glue:TagResource', 'statement.0.actions.32': 'glue:UntagResource', 'statement.0.actions.33': 'glue:UpdateDatabase', 'statement.0.actions.34': 'glue:UpdatePartition', 'statement.0.actions.35': 'glue:UpdateTable', 'statement.0.actions.36': 'lakeformation:BatchGrantPermissions', 'statement.0.actions.37': 'lakeformation:BatchRevokePermissions', 'statement.0.actions.38': 'lakeformation:CreateLakeFormationOptIn', 'statement.0.actions.39': 'lakeformation:DeleteLakeFormationOptIn', 'statement.0.actions.40': 'lakeformation:GetDataAccess', 'statement.0.actions.41': 'lakeformation:GetDataLakeSettings', 'statement.0.actions.42': 'lakeformation:GrantPermissions', 
'statement.0.actions.43': 'lakeformation:ListLakeFormationOptIns', 'statement.0.actions.44': 'lakeformation:PutDataLakeSettings', 'statement.0.actions.45': 'lakeformation:RevokePermissions', 'statement.0.actions.46': 'lambda:PutRuntimeManagementConfig', 'statement.0.actions.47': 's3:GetBucketOwnershipControls', 'statement.0.actions.48': 's3:PutBucketNotificationConfiguration', 'statement.0.actions.49': 's3:PutObjectAcl', 'statement.0.actions.50': 'states:Describe*', 'statement.0.actions.51': 'states:List*', 'statement.0.actions.52': 'states:RedriveExecution', 'statement.0.actions.53': 'states:Start*', 'statement.0.actions.54': 'states:Stop*', 'statement.0.effect': 'Allow', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'DataEngineeringAllow', 'statement.1': {'actions': ['airflow:CreateWebLoginToken'], 'effect': 'Allow', 'resources': ['arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User'], 'sid': 'AirflowUIAccess'}, 'statement.1.actions': ['airflow:CreateWebLoginToken'], 'statement.1.actions.0': 'airflow:CreateWebLoginToken', 'statement.1.effect': 'Allow', 'statement.1.resources': {'0': 'arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User'}, 'statement.1.resources.0': 'arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User', 'statement.1.sid': 'AirflowUIAccess', 'statement.2': {'actions': ['iam:PassRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'], 'sid': ''}, 'statement.2.actions': ['iam:PassRole'], 'statement.2.actions.0': 'iam:PassRole', 
'statement.2.effect': 'Allow', 'statement.2.resources': {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science'}, 'statement.2.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf', 'statement.2.sid': '', 'statement.3': {'actions': ['sts:AssumeRole'], 'effect': 'Allow', 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/data-engineering-state-access"}'], 'sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}, 'statement.3.actions': ['sts:AssumeRole'], 'statement.3.actions.0': 'sts:AssumeRole', 'statement.3.effect': 'Allow', 'statement.3.resources': ['${"arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/data-engineering-state-access"}'], 'statement.3.resources.0': '${"arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/data-engineering-state-access"}', 'statement.3.sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 08:34:27,567 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 
'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 
'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 
'iam:DeleteUserPermissionsBoundary', 'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 
'iam:UpdateAssumeRolePolicy', 'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access'}, 'statement.2.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 
'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
terraform scan results:

Passed checks: 121, Failed checks: 0, Skipped checks: 55


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/single-sign-on

*****************************

Running tflint in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on

*****************************

Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T08:34:20Z	INFO	[vulndb] Need to update DB
2024-11-26T08:34:20Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-26T08:34:20Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:34:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:34:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T08:34:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T08:34:22Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T08:34:22Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-26T08:34:23Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 673.651µs, allowed: 44000/minute"
2024-11-26T08:34:23Z	INFO	[secret] Secret scanning is enabled
2024-11-26T08:34:23Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T08:34:23Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T08:34:24Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T08:34:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T08:34:24Z	INFO	Number of language-specific files	num=0
2024-11-26T08:34:24Z	INFO	Detected config files	num=2
trivy_exitcode=0

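Both scanners in the comment above exit 0, yet Trivy's evaluator reports sixteen blocks it could not expand (the fifteen `aws_ssoadmin_account_assignment` assignments and the `data.aws_identitystore_group.member` lookup, because their `for_each` values are unknown without a real plan), and Checkov warns that it could not evaluate `statement.2.resources` on the IAM policy documents. Instances of a block that never expanded were never checked, so "Trivy Scan Success" here covers less than it appears to. The script below is an added example, not part of this repository's workflow: it parses console output of the kind posted above and fails the step when managed resources went unscanned or Checkov fell back on a policy attribute, instead of trusting the exit code alone. The sample log is a constructed excerpt trimmed from the comments above; the `<tool>_exitcode=` convention, the required-tool list and the allowance for `data.*` blocks are assumptions of the example.

```python
"""Gate a Terraform static-scan CI step on evaluator errors, not on exit code alone.

Added example, not the repository's workflow code. It parses Trivy and Checkov
console output of the kind posted on this PR.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed sample: lines copied from the Trivy/Checkov output posted above and
# trimmed (the Checkov vertex dump is elided). Both tools still exit 0.
SAMPLE_LOG = """\
2024-11-26T08:34:24Z\tINFO\t[terraform scanner] Scanning root module\tfile_path="."
2024-11-26T08:34:24Z\tERROR\t[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.\tblock="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T08:34:24Z\tERROR\t[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.\tblock="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T08:34:24Z\tINFO\tDetected config files\tnum=2
trivy_exitcode=0
2024-11-26 08:34:27,550 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {...} forvertex attributes {...}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
Passed checks: 121, Failed checks: 0, Skipped checks: 55
checkov_exitcode=0
"""

# Trivy: a for_each/count block whose value was unknown at scan time was never
# expanded, so none of its instances were checked.
EXPAND_ERROR = re.compile(
    r'ERROR\s+\[terraform evaluator\] Failed to expand block\..*?\bblock="(?P<block>[^"]+)"'
)
# Checkov: an attribute (here the policy statement's `resources`) it could not
# evaluate, so resource-level IAM checks ran against an incomplete value.
CHECKOV_ATTR_WARNING = re.compile(
    r"\[WARNI\]\s+Failed updating attribute for key: (?P<key>\S+)"
)
# The workflow prints "<tool>_exitcode=N" after each run; the tool names are an
# assumption taken from the posted logs.
EXIT_CODE = re.compile(r"^(?P<tool>trivy|checkov|tflint)_exitcode=(?P<code>\d+)\s*$", re.M)
# Tools that must have reported at all; missing output is not a pass (assumption).
REQUIRED_TOOLS = ("trivy", "checkov")


@dataclass
class ScanVerdict:
    exit_codes: dict[str, int] = field(default_factory=dict)
    unexpanded_blocks: list[str] = field(default_factory=list)
    unevaluated_attributes: list[str] = field(default_factory=list)

    def unscanned_resources(self) -> list[str]:
        """Managed resources that never expanded. `data.*` blocks are lookups and
        are tolerated here; that allowance is a policy choice of this example."""
        return [b for b in self.unexpanded_blocks if not b.startswith("data.")]

    def passed(self) -> bool:
        return (
            all(tool in self.exit_codes for tool in REQUIRED_TOOLS)
            and all(code == 0 for code in self.exit_codes.values())
            and not self.unscanned_resources()
            and not self.unevaluated_attributes
        )

    def report(self) -> list[str]:
        lines = [f"{tool}_exitcode={code}" for tool, code in sorted(self.exit_codes.items())]
        lines += [f"NOT SCANNED (for_each unknown): {b}" for b in self.unscanned_resources()]
        lines += [f"NOT EVALUATED (checkov attribute): {k}" for k in self.unevaluated_attributes]
        lines.append("verdict: " + ("pass" if self.passed() else "FAIL"))
        return lines


def _dedup(items: list[str]) -> list[str]:
    """Order-preserving de-duplication (the same block is logged once per folder)."""
    return list(dict.fromkeys(items))


def assess(log: str) -> ScanVerdict:
    """Parse one CI job's console output into a verdict."""
    verdict = ScanVerdict()
    for m in EXIT_CODE.finditer(log):
        verdict.exit_codes[m["tool"]] = int(m["code"])
    verdict.unexpanded_blocks = _dedup([m["block"] for m in EXPAND_ERROR.finditer(log)])
    verdict.unevaluated_attributes = _dedup([m["key"] for m in CHECKOV_ATTR_WARNING.finditer(log)])
    return verdict


if __name__ == "__main__":
    # Pipe the job log in; with no stdin the constructed sample is assessed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = assess(text)
    print("\n".join(result.report()))
    sys.exit(0 if result.passed() else 1)
```

Run it as `python gate_scan.py < job.log` after the scan step; on the sample it lists `aws_ssoadmin_account_assignment.administator` as not scanned and `statement.2.resources` as not evaluated and exits 1. The usual fix for the Trivy side is to scan against a saved plan (`terraform show -json`) or to supply the `for_each` inputs as variable files, so the permission-set assignments are actually expanded and checked.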
Contributor

Trivy Scan Success

Show Output

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler


Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T08:55:24Z INFO [vulndb] Need to update DB
2024-11-26T08:55:24Z INFO [vulndb] Downloading vulnerability DB...
2024-11-26T08:55:24Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:55:27Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:55:27Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T08:55:27Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T08:55:27Z INFO [misconfig] Need to update the built-in checks
2024-11-26T08:55:27Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-26T08:55:27Z INFO [secret] Secret scanning is enabled
2024-11-26T08:55:27Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T08:55:27Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T08:55:28Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T08:55:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T08:55:28Z INFO Number of language-specific files num=0
2024-11-26T08:55:28Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in terraform/environments/sprinkler
2024-11-26T08:55:28Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T08:55:28Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T08:55:28Z INFO [secret] Secret scanning is enabled
2024-11-26T08:55:28Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T08:55:28Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T08:55:29Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T08:55:29Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-26T08:55:30Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-11-26T08:55:30Z INFO Number of language-specific files num=0
2024-11-26T08:55:30Z INFO Detected config files num=1
trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler

*****************************

Running Checkov in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-26 08:55:32,743 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 
'${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/member-shared-services"}', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 
'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 'iam:DeleteUserPermissionsBoundary', 
'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 'iam:UpdateAssumeRolePolicy', 
'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/member-shared-services"}', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access'}, 'statement.2.resources.0': '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 'statement.2.resources.1': '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/member-shared-services"}', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 
'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 08:55:32,791 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition.2 and value {'values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}} forvertex attributes {'__end_line__': 1053, '__start_line__': 907, 'statement': [{'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 
'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'sid': 'coreSharedServicesCreateGrantAllow'}], 'statement.0': {'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, 'statement.0.actions': ['*'], 'statement.0.actions.0': '*', 'statement.0.condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 
'statement.0.condition.0': {'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, 'statement.0.condition.0.test': 'ForAnyValue:StringNotLike', 'statement.0.condition.0.values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'statement.0.condition.0.values.0': '$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.values.1': '*:$${aws:ResourceTag/Owner}', 'statement.0.condition.0.values.2': '*:$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.variable': 'aws:PrincipalTag/github_team', 'statement.0.condition.1': {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, 'statement.0.condition.1.test': 'Null', 'statement.0.condition.1.values': ['False'], 'statement.0.condition.1.values.0': 'False', 'statement.0.condition.1.variable': 'aws:ResourceTag/Owner', 'statement.0.condition.2': {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.2.test': 'StringEquals', 'statement.0.condition.2.values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}, 'statement.0.condition.2.values.0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)', 'statement.0.condition.2.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'ABACEc2Deny', 'statement.1': {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 
'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, 'statement.1.actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 
's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'statement.1.actions.0': 'application-autoscaling:ListTagsForResource', 'statement.1.actions.1': 'athena:StartQueryExecution', 'statement.1.actions.2': 'athena:StopQueryExecution', 'statement.1.actions.3': 'autoscaling:SetDesiredCapacity', 'statement.1.actions.4': 'autoscaling:StartInstanceRefresh', 'statement.1.actions.5': 'autoscaling:UpdateAutoScalingGroup', 'statement.1.actions.6': 'aws-marketplace:ViewSubscriptions', 'statement.1.actions.7': 'ds:*Snapshot*', 'statement.1.actions.8': 'ds:*Tags*', 'statement.1.actions.9': 'ds:ResetUserPassword', 'statement.1.actions.10': 'ec2:CopyImage', 'statement.1.actions.11': 'ec2:CopySnapshot', 'statement.1.actions.12': 'ec2:CreateImage', 'statement.1.actions.13': 'ec2:CreateSnapshot', 'statement.1.actions.14': 'ec2:CreateSnapshots', 'statement.1.actions.15': 'ec2:CreateTags', 'statement.1.actions.16': 'ec2:DescribeInstanceTypes', 'statement.1.actions.17': 'ec2:DescribeInstances', 'statement.1.actions.18': 'ec2:DescribeVolumes', 'statement.1.actions.19': 'ec2:ModifyImageAttribute', 'statement.1.actions.20': 'ec2:ModifyInstanceAttribute', 'statement.1.actions.21': 'ec2:ModifySnapshotAttribute', 'statement.1.actions.22': 'ec2:RebootInstances', 'statement.1.actions.23': 'ec2:StartInstances', 'statement.1.actions.24': 'ec2:StopInstances', 'statement.1.actions.25': 'ecs:DescribeServices', 'statement.1.actions.26': 'ecs:ListServices', 'statement.1.actions.27': 'ecs:UpdateService', 'statement.1.actions.28': 'identitystore:DescribeUser', 'statement.1.actions.29': 'kms:Decrypt*', 'statement.1.actions.30': 'kms:DescribeKey', 'statement.1.actions.31': 'kms:Encrypt', 'statement.1.actions.32': 'kms:GenerateDataKey*', 'statement.1.actions.33': 'kms:ReEncrypt*', 'statement.1.actions.34': 'rds:CopyDBClusterSnapshot', 'statement.1.actions.35': 
'rds:CopyDBSnapshot', 'statement.1.actions.36': 'rds:CreateDBClusterSnapshot', 'statement.1.actions.37': 'rds:CreateDBSnapshot', 'statement.1.actions.38': 'rds:RebootDB*', 'statement.1.actions.39': 'rhelkb:GetRhelURL', 'statement.1.actions.40': 's3:Get*', 'statement.1.actions.41': 's3:List*', 'statement.1.actions.42': 's3:PutObject', 'statement.1.actions.43': 'secretsmanager:DescribeSecret', 'statement.1.actions.44': 'secretsmanager:GetSecretValue', 'statement.1.actions.45': 'secretsmanager:ListSecret*', 'statement.1.actions.46': 'ssm-guiconnect:*', 'statement.1.actions.47': 'ssm:*', 'statement.1.actions.48': 'sso:ListDirectoryAssociations', 'statement.1.actions.49': 'support:*', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'databaseAllowNull', 'statement.2': {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, 'statement.2.actions': ['secretsmanager:PutSecretValue'], 'statement.2.actions.0': 'secretsmanager:PutSecretValue', 'statement.2.condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'statement.2.condition.test': 'StringEquals', 'statement.2.condition.values': ['full'], 'statement.2.condition.values.0': 'full', 'statement.2.condition.variable': 'secretsmanager:ResourceTag/instance-management-policy', 'statement.2.effect': 'Allow', 'statement.2.resources': ['*'], 'statement.2.resources.0': '*', 'statement.2.sid': 'SecretsManagerPut', 'statement.3': {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, 'statement.3.actions': ['sns:Publish'], 'statement.3.actions.0': 'sns:Publish', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:sns:*:*:Automation*'], 
'statement.3.resources.0': 'arn:aws:sns:*:*:Automation*', 'statement.3.sid': 'snsAllow', 'statement.4': {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, 'statement.4.actions': ['lambda:InvokeFunction'], 'statement.4.actions.0': 'lambda:InvokeFunction', 'statement.4.effect': 'Allow', 'statement.4.resources': ['arn:aws:lambda:*:*:function:Automation*'], 'statement.4.resources.0': 'arn:aws:lambda:*:*:function:Automation*', 'statement.4.sid': 'lambdaAllow', 'statement.5': {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'sid': 'coreSharedServicesCreateGrantAllow'}, 'statement.5.actions': ['kms:CreateGrant'], 'statement.5.actions.0': 'kms:CreateGrant', 'statement.5.condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'statement.5.condition.test': 'Bool', 'statement.5.condition.values': [True], 'statement.5.condition.values.0': True, 'statement.5.condition.variable': 'kms:GrantIsForAWSResource', 'statement.5.effect': 'Allow', 'statement.5.resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'statement.5.resources.0': '${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}', 'statement.5.sid': 'coreSharedServicesCreateGrantAllow'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 08:55:32,843 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 
'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 
'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 
'iam:DeleteUserPermissionsBoundary', 'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 
'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, 'statement.1.actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 
's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'statement.1.actions.0': 'application-autoscaling:ListTagsForResource', 'statement.1.actions.1': 'athena:StartQueryExecution', 'statement.1.actions.2': 'athena:StopQueryExecution', 'statement.1.actions.3': 'autoscaling:SetDesiredCapacity', 'statement.1.actions.4': 'autoscaling:StartInstanceRefresh', 'statement.1.actions.5': 'autoscaling:UpdateAutoScalingGroup', 'statement.1.actions.6': 'aws-marketplace:ViewSubscriptions', 'statement.1.actions.7': 'ds:*Snapshot*', 'statement.1.actions.8': 'ds:*Tags*', 'statement.1.actions.9': 'ds:ResetUserPassword', 'statement.1.actions.10': 'ec2:CopyImage', 'statement.1.actions.11': 'ec2:CopySnapshot', 'statement.1.actions.12': 'ec2:CreateImage', 'statement.1.actions.13': 'ec2:CreateSnapshot', 'statement.1.actions.14': 'ec2:CreateSnapshots', 'statement.1.actions.15': 'ec2:CreateTags', 'statement.1.actions.16': 'ec2:DescribeInstanceTypes', 'statement.1.actions.17': 'ec2:DescribeInstances', 'statement.1.actions.18': 'ec2:DescribeVolumes', 'statement.1.actions.19': 'ec2:ModifyImageAttribute', 'statement.1.actions.20': 'ec2:ModifyInstanceAttribute', 'statement.1.actions.21': 'ec2:ModifySnapshotAttribute', 'statement.1.actions.22': 'ec2:RebootInstances', 'statement.1.actions.23': 'ec2:StartInstances', 'statement.1.actions.24': 'ec2:StopInstances', 'statement.1.actions.25': 'ecs:DescribeServices', 'statement.1.actions.26': 'ecs:ListServices', 'statement.1.actions.27': 'ecs:UpdateService', 'statement.1.actions.28': 'identitystore:DescribeUser', 'statement.1.actions.29': 'kms:Decrypt*', 'statement.1.actions.30': 'kms:DescribeKey', 'statement.1.actions.31': 'kms:Encrypt', 'statement.1.actions.32': 'kms:GenerateDataKey*', 'statement.1.actions.33': 'kms:ReEncrypt*', 'statement.1.actions.34': 'rds:CopyDBClusterSnapshot', 'statement.1.actions.35': 
'rds:CopyDBSnapshot', 'statement.1.actions.36': 'rds:CreateDBClusterSnapshot', 'statement.1.actions.37': 'rds:CreateDBSnapshot', 'statement.1.actions.38': 'rds:RebootDB*', 'statement.1.actions.39': 'rhelkb:GetRhelURL', 'statement.1.actions.40': 's3:Get*', 'statement.1.actions.41': 's3:List*', 'statement.1.actions.42': 's3:PutObject', 'statement.1.actions.43': 'secretsmanager:DescribeSecret', 'statement.1.actions.44': 'secretsmanager:GetSecretValue', 'statement.1.actions.45': 'secretsmanager:ListSecret*', 'statement.1.actions.46': 'ssm-guiconnect:*', 'statement.1.actions.47': 'ssm:*', 'statement.1.actions.48': 'sso:ListDirectoryAssociations', 'statement.1.actions.49': 'support:*', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'databaseAllowNull', 'statement.2': {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, 'statement.2.actions': ['secretsmanager:PutSecretValue'], 'statement.2.actions.0': 'secretsmanager:PutSecretValue', 'statement.2.condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'statement.2.condition.test': 'StringEquals', 'statement.2.condition.values': ['full'], 'statement.2.condition.values.0': 'full', 'statement.2.condition.variable': 'secretsmanager:ResourceTag/instance-management-policy', 'statement.2.effect': 'Allow', 'statement.2.resources': ['*'], 'statement.2.resources.0': '*', 'statement.2.sid': 'SecretsManagerPut', 'statement.3': {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, 'statement.3.actions': ['sns:Publish'], 'statement.3.actions.0': 'sns:Publish', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:sns:*:*:Automation*'], 
'statement.3.resources.0': 'arn:aws:sns:*:*:Automation*', 'statement.3.sid': 'snsAllow', 'statement.4': {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, 'statement.4.actions': ['lambda:InvokeFunction'], 'statement.4.actions.0': 'lambda:InvokeFunction', 'statement.4.effect': 'Allow', 'statement.4.resources': ['arn:aws:lambda:*:*:function:Automation*'], 'statement.4.resources.0': 'arn:aws:lambda:*:*:function:Automation*', 'statement.4.sid': 'lambdaAllow', 'statement.5': {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'sid': 'coreSharedServicesCreateGrantAllow'}, 'statement.5.actions': ['kms:CreateGrant'], 'statement.5.actions.0': 'kms:CreateGrant', 'statement.5.condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'statement.5.condition.test': 'Bool', 'statement.5.condition.values': [True], 'statement.5.condition.values.0': True, 'statement.5.condition.variable': 'kms:GrantIsForAWSResource', 'statement.5.effect': 'Allow', 'statement.5.resources': ['${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}'], 'statement.5.resources.0': '${"arn:aws:kms:*:${local.environment_management.account_ids["core-shared-services-production"]}:key/*"}', 'statement.5.sid': 'coreSharedServicesCreateGrantAllow'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 08:55:33,022 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 
'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 
'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 
'iam:DeleteUserPermissionsBoundary', 'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 
'iam:UpdateAssumeRolePolicy', 'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access'}, 'statement.2.resources.0': '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 
'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 08:55:33,163 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 
'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 
'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 
'iam:DeleteUserPermissionsBoundary', 'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 
'iam:UpdateAssumeRolePolicy', 'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services'}, 'statement.2.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 
'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 08:55:33,182 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science'} forvertex attributes {'__end_line__': 461, '__start_line__': 373, 'statement': [{'actions': ['airflow:GetEnvironment', 'airflow:ListEnvironments', 'airflow:ListTagsForResource', 'athena:DeleteNamedQuery', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'ce:CreateReport', 'dms:ModifyReplicationTask', 'dms:StartReplicationTask', 'dms:StopReplicationTask', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable', 'dynamodb:GetItem', 'dynamodb:PutItem', 'glue:*DefinedFunction', 'glue:*Job', 'glue:*JobRun', 'glue:*Trigger', 'glue:Batch*Partition', 'glue:BatchDeleteTable', 'glue:BatchGetJobs', 'glue:CreateDatabase', 'glue:CreatePartition', 'glue:CreateSession', 'glue:CreateTable', 'glue:DeleteDatabase', 'glue:DeletePartition', 'glue:DeleteTable', 'glue:Get*', 'glue:List*', 'glue:RunStatement', 'glue:TagResource', 'glue:UntagResource', 'glue:UpdateDatabase', 'glue:UpdatePartition', 'glue:UpdateTable', 'lakeformation:BatchGrantPermissions', 'lakeformation:BatchRevokePermissions', 'lakeformation:CreateLakeFormationOptIn', 'lakeformation:DeleteLakeFormationOptIn', 'lakeformation:GetDataAccess', 'lakeformation:GetDataLakeSettings', 'lakeformation:GrantPermissions', 'lakeformation:ListLakeFormationOptIns', 'lakeformation:PutDataLakeSettings', 'lakeformation:RevokePermissions', 'lambda:PutRuntimeManagementConfig', 's3:GetBucketOwnershipControls', 's3:PutBucketNotificationConfiguration', 's3:PutObjectAcl', 'states:Describe*', 'states:List*', 'states:RedriveExecution', 'states:Start*', 'states:Stop*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'DataEngineeringAllow'}, {'actions': ['airflow:CreateWebLoginToken'], 'effect': 'Allow', 'resources': 
['arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User'], 'sid': 'AirflowUIAccess'}, {'actions': ['iam:PassRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'], 'sid': ''}, {'actions': ['sts:AssumeRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access'], 'sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}], 'statement.0': {'actions': ['airflow:GetEnvironment', 'airflow:ListEnvironments', 'airflow:ListTagsForResource', 'athena:DeleteNamedQuery', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'ce:CreateReport', 'dms:ModifyReplicationTask', 'dms:StartReplicationTask', 'dms:StopReplicationTask', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable', 'dynamodb:GetItem', 'dynamodb:PutItem', 'glue:*DefinedFunction', 'glue:*Job', 'glue:*JobRun', 'glue:*Trigger', 'glue:Batch*Partition', 'glue:BatchDeleteTable', 'glue:BatchGetJobs', 'glue:CreateDatabase', 'glue:CreatePartition', 'glue:CreateSession', 'glue:CreateTable', 'glue:DeleteDatabase', 'glue:DeletePartition', 'glue:DeleteTable', 'glue:Get*', 'glue:List*', 'glue:RunStatement', 'glue:TagResource', 'glue:UntagResource', 'glue:UpdateDatabase', 'glue:UpdatePartition', 'glue:UpdateTable', 'lakeformation:BatchGrantPermissions', 'lakeformation:BatchRevokePermissions', 'lakeformation:CreateLakeFormationOptIn', 'lakeformation:DeleteLakeFormationOptIn', 'lakeformation:GetDataAccess', 'lakeformation:GetDataLakeSettings', 'lakeformation:GrantPermissions', 'lakeformation:ListLakeFormationOptIns', 'lakeformation:PutDataLakeSettings', 
'lakeformation:RevokePermissions', 'lambda:PutRuntimeManagementConfig', 's3:GetBucketOwnershipControls', 's3:PutBucketNotificationConfiguration', 's3:PutObjectAcl', 'states:Describe*', 'states:List*', 'states:RedriveExecution', 'states:Start*', 'states:Stop*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'DataEngineeringAllow'}, 'statement.0.actions': ['airflow:GetEnvironment', 'airflow:ListEnvironments', 'airflow:ListTagsForResource', 'athena:DeleteNamedQuery', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'ce:CreateReport', 'dms:ModifyReplicationTask', 'dms:StartReplicationTask', 'dms:StopReplicationTask', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable', 'dynamodb:GetItem', 'dynamodb:PutItem', 'glue:*DefinedFunction', 'glue:*Job', 'glue:*JobRun', 'glue:*Trigger', 'glue:Batch*Partition', 'glue:BatchDeleteTable', 'glue:BatchGetJobs', 'glue:CreateDatabase', 'glue:CreatePartition', 'glue:CreateSession', 'glue:CreateTable', 'glue:DeleteDatabase', 'glue:DeletePartition', 'glue:DeleteTable', 'glue:Get*', 'glue:List*', 'glue:RunStatement', 'glue:TagResource', 'glue:UntagResource', 'glue:UpdateDatabase', 'glue:UpdatePartition', 'glue:UpdateTable', 'lakeformation:BatchGrantPermissions', 'lakeformation:BatchRevokePermissions', 'lakeformation:CreateLakeFormationOptIn', 'lakeformation:DeleteLakeFormationOptIn', 'lakeformation:GetDataAccess', 'lakeformation:GetDataLakeSettings', 'lakeformation:GrantPermissions', 'lakeformation:ListLakeFormationOptIns', 'lakeformation:PutDataLakeSettings', 'lakeformation:RevokePermissions', 'lambda:PutRuntimeManagementConfig', 's3:GetBucketOwnershipControls', 's3:PutBucketNotificationConfiguration', 's3:PutObjectAcl', 'states:Describe*', 'states:List*', 'states:RedriveExecution', 'states:Start*', 'states:Stop*'], 'statement.0.actions.0': 'airflow:GetEnvironment', 'statement.0.actions.1': 'airflow:ListEnvironments', 'statement.0.actions.2': 'airflow:ListTagsForResource', 'statement.0.actions.3': 'athena:DeleteNamedQuery', 
'statement.0.actions.4': 'athena:StartQueryExecution', 'statement.0.actions.5': 'athena:StopQueryExecution', 'statement.0.actions.6': 'ce:CreateReport', 'statement.0.actions.7': 'dms:ModifyReplicationTask', 'statement.0.actions.8': 'dms:StartReplicationTask', 'statement.0.actions.9': 'dms:StopReplicationTask', 'statement.0.actions.10': 'dynamodb:DeleteItem', 'statement.0.actions.11': 'dynamodb:DescribeTable', 'statement.0.actions.12': 'dynamodb:GetItem', 'statement.0.actions.13': 'dynamodb:PutItem', 'statement.0.actions.14': 'glue:*DefinedFunction', 'statement.0.actions.15': 'glue:*Job', 'statement.0.actions.16': 'glue:*JobRun', 'statement.0.actions.17': 'glue:*Trigger', 'statement.0.actions.18': 'glue:Batch*Partition', 'statement.0.actions.19': 'glue:BatchDeleteTable', 'statement.0.actions.20': 'glue:BatchGetJobs', 'statement.0.actions.21': 'glue:CreateDatabase', 'statement.0.actions.22': 'glue:CreatePartition', 'statement.0.actions.23': 'glue:CreateSession', 'statement.0.actions.24': 'glue:CreateTable', 'statement.0.actions.25': 'glue:DeleteDatabase', 'statement.0.actions.26': 'glue:DeletePartition', 'statement.0.actions.27': 'glue:DeleteTable', 'statement.0.actions.28': 'glue:Get*', 'statement.0.actions.29': 'glue:List*', 'statement.0.actions.30': 'glue:RunStatement', 'statement.0.actions.31': 'glue:TagResource', 'statement.0.actions.32': 'glue:UntagResource', 'statement.0.actions.33': 'glue:UpdateDatabase', 'statement.0.actions.34': 'glue:UpdatePartition', 'statement.0.actions.35': 'glue:UpdateTable', 'statement.0.actions.36': 'lakeformation:BatchGrantPermissions', 'statement.0.actions.37': 'lakeformation:BatchRevokePermissions', 'statement.0.actions.38': 'lakeformation:CreateLakeFormationOptIn', 'statement.0.actions.39': 'lakeformation:DeleteLakeFormationOptIn', 'statement.0.actions.40': 'lakeformation:GetDataAccess', 'statement.0.actions.41': 'lakeformation:GetDataLakeSettings', 'statement.0.actions.42': 'lakeformation:GrantPermissions', 
'statement.0.actions.43': 'lakeformation:ListLakeFormationOptIns', 'statement.0.actions.44': 'lakeformation:PutDataLakeSettings', 'statement.0.actions.45': 'lakeformation:RevokePermissions', 'statement.0.actions.46': 'lambda:PutRuntimeManagementConfig', 'statement.0.actions.47': 's3:GetBucketOwnershipControls', 'statement.0.actions.48': 's3:PutBucketNotificationConfiguration', 'statement.0.actions.49': 's3:PutObjectAcl', 'statement.0.actions.50': 'states:Describe*', 'statement.0.actions.51': 'states:List*', 'statement.0.actions.52': 'states:RedriveExecution', 'statement.0.actions.53': 'states:Start*', 'statement.0.actions.54': 'states:Stop*', 'statement.0.effect': 'Allow', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'DataEngineeringAllow', 'statement.1': {'actions': ['airflow:CreateWebLoginToken'], 'effect': 'Allow', 'resources': ['arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User'], 'sid': 'AirflowUIAccess'}, 'statement.1.actions': ['airflow:CreateWebLoginToken'], 'statement.1.actions.0': 'airflow:CreateWebLoginToken', 'statement.1.effect': 'Allow', 'statement.1.resources': {'0': 'arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User'}, 'statement.1.resources.0': 'arn:aws:airflow:eu-west-1:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/*/User', 'statement.1.sid': 'AirflowUIAccess', 'statement.2': {'actions': ['iam:PassRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'], 'sid': ''}, 'statement.2.actions': ['iam:PassRole'], 'statement.2.actions.0': 'iam:PassRole', 
'statement.2.effect': 'Allow', 'statement.2.resources': {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'}, 'statement.2.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf', 'statement.2.sid': '', 'statement.3': {'actions': ['sts:AssumeRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access'], 'sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}, 'statement.3.actions': ['sts:AssumeRole'], 'statement.3.actions.0': 'sts:AssumeRole', 'statement.3.effect': 'Allow', 'statement.3.resources': {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access'}, 'statement.3.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access', 'statement.3.sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
terraform scan results:

Passed checks: 121, Failed checks: 0, Skipped checks: 55


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/sprinkler
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-26 08:55:35,390 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=84a83751b5289f363a728eb181470b59fc5e2899:None (for external modules, the --download-external-modules flag is required)
2024-11-26 08:55:35,591 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.resources and value {'1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'} forvertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': 
['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'statement.0.condition.values.0': '${local.environment_management.account_ids[terraform.workspace]}', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': 
['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. 
Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 08:55:35,610 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition and value {'values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}} forvertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': 
['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}, 'statement.0.condition.values.0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 
'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 
'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 08:55:35,649 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.resources and value {'1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'} forvertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': 
['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'statement.0.condition.values.0': '${local.environment_management.account_ids[terraform.workspace]}', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': 
['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. 
Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
terraform scan results:

Passed checks: 16, Failed checks: 0, Skipped checks: 2


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler

*****************************

Running tflint in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/sprinkler
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler

*****************************

Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T08:55:24Z	INFO	[vulndb] Need to update DB
2024-11-26T08:55:24Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-26T08:55:24Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:55:27Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T08:55:27Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T08:55:27Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T08:55:27Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T08:55:27Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-26T08:55:27Z	INFO	[secret] Secret scanning is enabled
2024-11-26T08:55:27Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T08:55:27Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T08:55:28Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T08:55:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T08:55:28Z	INFO	Number of language-specific files	num=0
2024-11-26T08:55:28Z	INFO	Detected config files	num=2
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/sprinkler
2024-11-26T08:55:28Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T08:55:28Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T08:55:28Z	INFO	[secret] Secret scanning is enabled
2024-11-26T08:55:28Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T08:55:28Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T08:55:29Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T08:55:29Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-26T08:55:30Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-11-26T08:55:30Z	INFO	Number of language-specific files	num=0
2024-11-26T08:55:30Z	INFO	Detected config files	num=1
trivy_exitcode=0


Trivy Scan Success

Show Output

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler


Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T11:56:00Z INFO [vulndb] Need to update DB
2024-11-26T11:56:00Z INFO [vulndb] Downloading vulnerability DB...
2024-11-26T11:56:00Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T11:56:03Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T11:56:03Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T11:56:03Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T11:56:03Z INFO [misconfig] Need to update the built-in checks
2024-11-26T11:56:03Z INFO [misconfig] Downloading the built-in checks...
2024-11-26T11:56:03Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 121.355µs, allowed: 44000/minute"
2024-11-26T11:56:03Z INFO [secret] Secret scanning is enabled
2024-11-26T11:56:03Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T11:56:03Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T11:56:04Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T11:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T11:56:04Z INFO Number of language-specific files num=0
2024-11-26T11:56:04Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in terraform/environments/sprinkler
2024-11-26T11:56:04Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T11:56:04Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T11:56:04Z INFO [misconfig] Need to update the built-in checks
2024-11-26T11:56:04Z INFO [misconfig] Downloading the built-in checks...
2024-11-26T11:56:04Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 914.961µs, allowed: 44000/minute\n\n"
2024-11-26T11:56:04Z INFO [secret] Secret scanning is enabled
2024-11-26T11:56:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T11:56:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T11:56:05Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T11:56:05Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-26T11:56:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-11-26T11:56:06Z INFO Number of language-specific files num=0
2024-11-26T11:56:06Z INFO Detected config files num=1
trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler

*****************************

Running Checkov in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:09,463 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 
'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 
'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 
'iam:DeleteUserPermissionsBoundary', 'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 
'iam:UpdateAssumeRolePolicy', 'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access'}, 'statement.2.resources.0': '${"arn:aws:iam::${local.environment_management.account_ids["core-shared-services-production"]}:role/ad-fixngo-ec2-access"}', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 
'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:09,499 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition.2 and value {'values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}} forvertex attributes {'__end_line__': 1053, '__start_line__': 907, 'statement': [{'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 
'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*'], 'sid': 'coreSharedServicesCreateGrantAllow'}], 'statement.0': {'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, 'statement.0.actions': ['*'], 'statement.0.actions.0': '*', 'statement.0.condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 
'statement.0.condition.0': {'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, 'statement.0.condition.0.test': 'ForAnyValue:StringNotLike', 'statement.0.condition.0.values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'statement.0.condition.0.values.0': '$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.values.1': '*:$${aws:ResourceTag/Owner}', 'statement.0.condition.0.values.2': '*:$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.variable': 'aws:PrincipalTag/github_team', 'statement.0.condition.1': {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, 'statement.0.condition.1.test': 'Null', 'statement.0.condition.1.values': ['False'], 'statement.0.condition.1.values.0': 'False', 'statement.0.condition.1.variable': 'aws:ResourceTag/Owner', 'statement.0.condition.2': {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.2.test': 'StringEquals', 'statement.0.condition.2.values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}, 'statement.0.condition.2.values.0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)', 'statement.0.condition.2.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'ABACEc2Deny', 'statement.1': {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 
'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, 'statement.1.actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 
's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'statement.1.actions.0': 'application-autoscaling:ListTagsForResource', 'statement.1.actions.1': 'athena:StartQueryExecution', 'statement.1.actions.2': 'athena:StopQueryExecution', 'statement.1.actions.3': 'autoscaling:SetDesiredCapacity', 'statement.1.actions.4': 'autoscaling:StartInstanceRefresh', 'statement.1.actions.5': 'autoscaling:UpdateAutoScalingGroup', 'statement.1.actions.6': 'aws-marketplace:ViewSubscriptions', 'statement.1.actions.7': 'ds:*Snapshot*', 'statement.1.actions.8': 'ds:*Tags*', 'statement.1.actions.9': 'ds:ResetUserPassword', 'statement.1.actions.10': 'ec2:CopyImage', 'statement.1.actions.11': 'ec2:CopySnapshot', 'statement.1.actions.12': 'ec2:CreateImage', 'statement.1.actions.13': 'ec2:CreateSnapshot', 'statement.1.actions.14': 'ec2:CreateSnapshots', 'statement.1.actions.15': 'ec2:CreateTags', 'statement.1.actions.16': 'ec2:DescribeInstanceTypes', 'statement.1.actions.17': 'ec2:DescribeInstances', 'statement.1.actions.18': 'ec2:DescribeVolumes', 'statement.1.actions.19': 'ec2:ModifyImageAttribute', 'statement.1.actions.20': 'ec2:ModifyInstanceAttribute', 'statement.1.actions.21': 'ec2:ModifySnapshotAttribute', 'statement.1.actions.22': 'ec2:RebootInstances', 'statement.1.actions.23': 'ec2:StartInstances', 'statement.1.actions.24': 'ec2:StopInstances', 'statement.1.actions.25': 'ecs:DescribeServices', 'statement.1.actions.26': 'ecs:ListServices', 'statement.1.actions.27': 'ecs:UpdateService', 'statement.1.actions.28': 'identitystore:DescribeUser', 'statement.1.actions.29': 'kms:Decrypt*', 'statement.1.actions.30': 'kms:DescribeKey', 'statement.1.actions.31': 'kms:Encrypt', 'statement.1.actions.32': 'kms:GenerateDataKey*', 'statement.1.actions.33': 'kms:ReEncrypt*', 'statement.1.actions.34': 'rds:CopyDBClusterSnapshot', 'statement.1.actions.35': 
'rds:CopyDBSnapshot', 'statement.1.actions.36': 'rds:CreateDBClusterSnapshot', 'statement.1.actions.37': 'rds:CreateDBSnapshot', 'statement.1.actions.38': 'rds:RebootDB*', 'statement.1.actions.39': 'rhelkb:GetRhelURL', 'statement.1.actions.40': 's3:Get*', 'statement.1.actions.41': 's3:List*', 'statement.1.actions.42': 's3:PutObject', 'statement.1.actions.43': 'secretsmanager:DescribeSecret', 'statement.1.actions.44': 'secretsmanager:GetSecretValue', 'statement.1.actions.45': 'secretsmanager:ListSecret*', 'statement.1.actions.46': 'ssm-guiconnect:*', 'statement.1.actions.47': 'ssm:*', 'statement.1.actions.48': 'sso:ListDirectoryAssociations', 'statement.1.actions.49': 'support:*', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'databaseAllowNull', 'statement.2': {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, 'statement.2.actions': ['secretsmanager:PutSecretValue'], 'statement.2.actions.0': 'secretsmanager:PutSecretValue', 'statement.2.condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'statement.2.condition.test': 'StringEquals', 'statement.2.condition.values': ['full'], 'statement.2.condition.values.0': 'full', 'statement.2.condition.variable': 'secretsmanager:ResourceTag/instance-management-policy', 'statement.2.effect': 'Allow', 'statement.2.resources': ['*'], 'statement.2.resources.0': '*', 'statement.2.sid': 'SecretsManagerPut', 'statement.3': {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, 'statement.3.actions': ['sns:Publish'], 'statement.3.actions.0': 'sns:Publish', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:sns:*:*:Automation*'], 
'statement.3.resources.0': 'arn:aws:sns:*:*:Automation*', 'statement.3.sid': 'snsAllow', 'statement.4': {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, 'statement.4.actions': ['lambda:InvokeFunction'], 'statement.4.actions.0': 'lambda:InvokeFunction', 'statement.4.effect': 'Allow', 'statement.4.resources': ['arn:aws:lambda:*:*:function:Automation*'], 'statement.4.resources.0': 'arn:aws:lambda:*:*:function:Automation*', 'statement.4.sid': 'lambdaAllow', 'statement.5': {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*'], 'sid': 'coreSharedServicesCreateGrantAllow'}, 'statement.5.actions': ['kms:CreateGrant'], 'statement.5.actions.0': 'kms:CreateGrant', 'statement.5.condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'statement.5.condition.test': 'Bool', 'statement.5.condition.values': [True], 'statement.5.condition.values.0': True, 'statement.5.condition.variable': 'kms:GrantIsForAWSResource', 'statement.5.effect': 'Allow', 'statement.5.resources': {'0': 'arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*'}, 'statement.5.resources.0': 'arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*', 'statement.5.sid': 'coreSharedServicesCreateGrantAllow'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:09,806 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition.2 and value {'values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}} forvertex attributes {'__end_line__': 1053, '__start_line__': 907, 'statement': [{'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 
'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*'], 'sid': 'coreSharedServicesCreateGrantAllow'}], 'statement.0': {'actions': ['*'], 'condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 'effect': 'Deny', 'resources': ['*'], 'sid': 'ABACEc2Deny'}, 'statement.0.actions': ['*'], 'statement.0.actions.0': '*', 'statement.0.condition': [{'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}], 
'statement.0.condition.0': {'test': 'ForAnyValue:StringNotLike', 'values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'variable': 'aws:PrincipalTag/github_team'}, 'statement.0.condition.0.test': 'ForAnyValue:StringNotLike', 'statement.0.condition.0.values': ['$${aws:ResourceTag/Owner}:*', '*:$${aws:ResourceTag/Owner}', '*:$${aws:ResourceTag/Owner}:*'], 'statement.0.condition.0.values.0': '$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.values.1': '*:$${aws:ResourceTag/Owner}', 'statement.0.condition.0.values.2': '*:$${aws:ResourceTag/Owner}:*', 'statement.0.condition.0.variable': 'aws:PrincipalTag/github_team', 'statement.0.condition.1': {'test': 'Null', 'values': ['False'], 'variable': 'aws:ResourceTag/Owner'}, 'statement.0.condition.1.test': 'Null', 'statement.0.condition.1.values': ['False'], 'statement.0.condition.1.values.0': 'False', 'statement.0.condition.1.variable': 'aws:ResourceTag/Owner', 'statement.0.condition.2': {'test': 'StringEquals', 'values': ['jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.2.test': 'StringEquals', 'statement.0.condition.2.values': {'0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)'}, 'statement.0.condition.2.values.0': 'jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)', 'statement.0.condition.2.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'ABACEc2Deny', 'statement.1': {'actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 
'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'databaseAllowNull'}, 'statement.1.actions': ['application-autoscaling:ListTagsForResource', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'autoscaling:SetDesiredCapacity', 'autoscaling:StartInstanceRefresh', 'autoscaling:UpdateAutoScalingGroup', 'aws-marketplace:ViewSubscriptions', 'ds:*Snapshot*', 'ds:*Tags*', 'ds:ResetUserPassword', 'ec2:CopyImage', 'ec2:CopySnapshot', 'ec2:CreateImage', 'ec2:CreateSnapshot', 'ec2:CreateSnapshots', 'ec2:CreateTags', 'ec2:DescribeInstanceTypes', 'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:ModifyImageAttribute', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySnapshotAttribute', 'ec2:RebootInstances', 'ec2:StartInstances', 'ec2:StopInstances', 'ecs:DescribeServices', 'ecs:ListServices', 'ecs:UpdateService', 'identitystore:DescribeUser', 'kms:Decrypt*', 'kms:DescribeKey', 'kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*', 'rds:CopyDBClusterSnapshot', 'rds:CopyDBSnapshot', 'rds:CreateDBClusterSnapshot', 'rds:CreateDBSnapshot', 'rds:RebootDB*', 'rhelkb:GetRhelURL', 's3:Get*', 's3:List*', 
's3:PutObject', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:ListSecret*', 'ssm-guiconnect:*', 'ssm:*', 'sso:ListDirectoryAssociations', 'support:*'], 'statement.1.actions.0': 'application-autoscaling:ListTagsForResource', 'statement.1.actions.1': 'athena:StartQueryExecution', 'statement.1.actions.2': 'athena:StopQueryExecution', 'statement.1.actions.3': 'autoscaling:SetDesiredCapacity', 'statement.1.actions.4': 'autoscaling:StartInstanceRefresh', 'statement.1.actions.5': 'autoscaling:UpdateAutoScalingGroup', 'statement.1.actions.6': 'aws-marketplace:ViewSubscriptions', 'statement.1.actions.7': 'ds:*Snapshot*', 'statement.1.actions.8': 'ds:*Tags*', 'statement.1.actions.9': 'ds:ResetUserPassword', 'statement.1.actions.10': 'ec2:CopyImage', 'statement.1.actions.11': 'ec2:CopySnapshot', 'statement.1.actions.12': 'ec2:CreateImage', 'statement.1.actions.13': 'ec2:CreateSnapshot', 'statement.1.actions.14': 'ec2:CreateSnapshots', 'statement.1.actions.15': 'ec2:CreateTags', 'statement.1.actions.16': 'ec2:DescribeInstanceTypes', 'statement.1.actions.17': 'ec2:DescribeInstances', 'statement.1.actions.18': 'ec2:DescribeVolumes', 'statement.1.actions.19': 'ec2:ModifyImageAttribute', 'statement.1.actions.20': 'ec2:ModifyInstanceAttribute', 'statement.1.actions.21': 'ec2:ModifySnapshotAttribute', 'statement.1.actions.22': 'ec2:RebootInstances', 'statement.1.actions.23': 'ec2:StartInstances', 'statement.1.actions.24': 'ec2:StopInstances', 'statement.1.actions.25': 'ecs:DescribeServices', 'statement.1.actions.26': 'ecs:ListServices', 'statement.1.actions.27': 'ecs:UpdateService', 'statement.1.actions.28': 'identitystore:DescribeUser', 'statement.1.actions.29': 'kms:Decrypt*', 'statement.1.actions.30': 'kms:DescribeKey', 'statement.1.actions.31': 'kms:Encrypt', 'statement.1.actions.32': 'kms:GenerateDataKey*', 'statement.1.actions.33': 'kms:ReEncrypt*', 'statement.1.actions.34': 'rds:CopyDBClusterSnapshot', 'statement.1.actions.35': 
'rds:CopyDBSnapshot', 'statement.1.actions.36': 'rds:CreateDBClusterSnapshot', 'statement.1.actions.37': 'rds:CreateDBSnapshot', 'statement.1.actions.38': 'rds:RebootDB*', 'statement.1.actions.39': 'rhelkb:GetRhelURL', 'statement.1.actions.40': 's3:Get*', 'statement.1.actions.41': 's3:List*', 'statement.1.actions.42': 's3:PutObject', 'statement.1.actions.43': 'secretsmanager:DescribeSecret', 'statement.1.actions.44': 'secretsmanager:GetSecretValue', 'statement.1.actions.45': 'secretsmanager:ListSecret*', 'statement.1.actions.46': 'ssm-guiconnect:*', 'statement.1.actions.47': 'ssm:*', 'statement.1.actions.48': 'sso:ListDirectoryAssociations', 'statement.1.actions.49': 'support:*', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'databaseAllowNull', 'statement.2': {'actions': ['secretsmanager:PutSecretValue'], 'condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'effect': 'Allow', 'resources': ['*'], 'sid': 'SecretsManagerPut'}, 'statement.2.actions': ['secretsmanager:PutSecretValue'], 'statement.2.actions.0': 'secretsmanager:PutSecretValue', 'statement.2.condition': {'test': 'StringEquals', 'values': ['full'], 'variable': 'secretsmanager:ResourceTag/instance-management-policy'}, 'statement.2.condition.test': 'StringEquals', 'statement.2.condition.values': ['full'], 'statement.2.condition.values.0': 'full', 'statement.2.condition.variable': 'secretsmanager:ResourceTag/instance-management-policy', 'statement.2.effect': 'Allow', 'statement.2.resources': ['*'], 'statement.2.resources.0': '*', 'statement.2.sid': 'SecretsManagerPut', 'statement.3': {'actions': ['sns:Publish'], 'effect': 'Allow', 'resources': ['arn:aws:sns:*:*:Automation*'], 'sid': 'snsAllow'}, 'statement.3.actions': ['sns:Publish'], 'statement.3.actions.0': 'sns:Publish', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:sns:*:*:Automation*'], 
'statement.3.resources.0': 'arn:aws:sns:*:*:Automation*', 'statement.3.sid': 'snsAllow', 'statement.4': {'actions': ['lambda:InvokeFunction'], 'effect': 'Allow', 'resources': ['arn:aws:lambda:*:*:function:Automation*'], 'sid': 'lambdaAllow'}, 'statement.4.actions': ['lambda:InvokeFunction'], 'statement.4.actions.0': 'lambda:InvokeFunction', 'statement.4.effect': 'Allow', 'statement.4.resources': ['arn:aws:lambda:*:*:function:Automation*'], 'statement.4.resources.0': 'arn:aws:lambda:*:*:function:Automation*', 'statement.4.sid': 'lambdaAllow', 'statement.5': {'actions': ['kms:CreateGrant'], 'condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'effect': 'Allow', 'resources': ['arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*'], 'sid': 'coreSharedServicesCreateGrantAllow'}, 'statement.5.actions': ['kms:CreateGrant'], 'statement.5.actions.0': 'kms:CreateGrant', 'statement.5.condition': {'test': 'Bool', 'values': [True], 'variable': 'kms:GrantIsForAWSResource'}, 'statement.5.condition.test': 'Bool', 'statement.5.condition.values': [True], 'statement.5.condition.values.0': True, 'statement.5.condition.variable': 'kms:GrantIsForAWSResource', 'statement.5.effect': 'Allow', 'statement.5.resources': {'0': 'arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*'}, 'statement.5.resources.0': 'arn:aws:kms:*:${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:key/*', 'statement.5.sid': 'coreSharedServicesCreateGrantAllow'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 11:56:09,824 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access'} forvertex attributes {'__end_line__': 92, '__start_line__': 12, 'statement': [{'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, {'actions': ['sts:AssumeRole'], 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 
'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}], 'statement.0': {'actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'effect': 'Deny', 'resources': ['*'], 'sid': 'denyPermissions'}, 'statement.0.actions': ['ec2:CreateSubnet', 'ec2:CreateVpc', 'ec2:CreateVpcPeeringConnection', 'iam:AddClientIDToOpenIDConnectProvider', 'iam:AddUserToGroup', 'iam:AttachGroupPolicy', 'iam:AttachUserPolicy', 'iam:CreateAccountAlias', 'iam:CreateGroup', 'iam:CreateLoginProfile', 
'iam:CreateOpenIDConnectProvider', 'iam:CreateSAMLProvider', 'iam:CreateUser', 'iam:CreateVirtualMFADevice', 'iam:DeactivateMFADevice', 'iam:DeleteAccountAlias', 'iam:DeleteAccountPasswordPolicy', 'iam:DeleteGroup', 'iam:DeleteGroupPolicy', 'iam:DeleteLoginProfile', 'iam:DeleteOpenIDConnectProvider', 'iam:DeleteSAMLProvider', 'iam:DeleteUser', 'iam:DeleteUserPermissionsBoundary', 'iam:DeleteUserPolicy', 'iam:DeleteVirtualMFADevice', 'iam:DetachGroupPolicy', 'iam:DetachUserPolicy', 'iam:EnableMFADevice', 'iam:RemoveClientIDFromOpenIDConnectProvider', 'iam:RemoveUserFromGroup', 'iam:ResyncMFADevice', 'iam:UpdateAccountPasswordPolicy', 'iam:UpdateGroup', 'iam:UpdateLoginProfile', 'iam:UpdateOpenIDConnectProviderThumbprint', 'iam:UpdateSAMLProvider', 'iam:UpdateUser'], 'statement.0.actions.0': 'ec2:CreateSubnet', 'statement.0.actions.1': 'ec2:CreateVpc', 'statement.0.actions.2': 'ec2:CreateVpcPeeringConnection', 'statement.0.actions.3': 'iam:AddClientIDToOpenIDConnectProvider', 'statement.0.actions.4': 'iam:AddUserToGroup', 'statement.0.actions.5': 'iam:AttachGroupPolicy', 'statement.0.actions.6': 'iam:AttachUserPolicy', 'statement.0.actions.7': 'iam:CreateAccountAlias', 'statement.0.actions.8': 'iam:CreateGroup', 'statement.0.actions.9': 'iam:CreateLoginProfile', 'statement.0.actions.10': 'iam:CreateOpenIDConnectProvider', 'statement.0.actions.11': 'iam:CreateSAMLProvider', 'statement.0.actions.12': 'iam:CreateUser', 'statement.0.actions.13': 'iam:CreateVirtualMFADevice', 'statement.0.actions.14': 'iam:DeactivateMFADevice', 'statement.0.actions.15': 'iam:DeleteAccountAlias', 'statement.0.actions.16': 'iam:DeleteAccountPasswordPolicy', 'statement.0.actions.17': 'iam:DeleteGroup', 'statement.0.actions.18': 'iam:DeleteGroupPolicy', 'statement.0.actions.19': 'iam:DeleteLoginProfile', 'statement.0.actions.20': 'iam:DeleteOpenIDConnectProvider', 'statement.0.actions.21': 'iam:DeleteSAMLProvider', 'statement.0.actions.22': 'iam:DeleteUser', 'statement.0.actions.23': 
'iam:DeleteUserPermissionsBoundary', 'statement.0.actions.24': 'iam:DeleteUserPolicy', 'statement.0.actions.25': 'iam:DeleteVirtualMFADevice', 'statement.0.actions.26': 'iam:DetachGroupPolicy', 'statement.0.actions.27': 'iam:DetachUserPolicy', 'statement.0.actions.28': 'iam:EnableMFADevice', 'statement.0.actions.29': 'iam:RemoveClientIDFromOpenIDConnectProvider', 'statement.0.actions.30': 'iam:RemoveUserFromGroup', 'statement.0.actions.31': 'iam:ResyncMFADevice', 'statement.0.actions.32': 'iam:UpdateAccountPasswordPolicy', 'statement.0.actions.33': 'iam:UpdateGroup', 'statement.0.actions.34': 'iam:UpdateLoginProfile', 'statement.0.actions.35': 'iam:UpdateOpenIDConnectProviderThumbprint', 'statement.0.actions.36': 'iam:UpdateSAMLProvider', 'statement.0.actions.37': 'iam:UpdateUser', 'statement.0.effect': 'Deny', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'denyPermissions', 'statement.1': {'actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'effect': 'Deny', 'resources': ['arn:aws:iam::*:user/cicd-member-user'], 'sid': 'denyOnCicdMemberUser'}, 'statement.1.actions': ['iam:AttachRolePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:UpdateAssumeRolePolicy', 'iam:UpdateRole', 'iam:UpdateRoleDescription'], 'statement.1.actions.0': 'iam:AttachRolePolicy', 'statement.1.actions.1': 'iam:DeleteRole', 'statement.1.actions.2': 'iam:DeleteRolePermissionsBoundary', 'statement.1.actions.3': 'iam:DeleteRolePolicy', 'statement.1.actions.4': 'iam:DetachRolePolicy', 'statement.1.actions.5': 'iam:PutRolePermissionsBoundary', 'statement.1.actions.6': 'iam:PutRolePolicy', 'statement.1.actions.7': 
'iam:UpdateAssumeRolePolicy', 'statement.1.actions.8': 'iam:UpdateRole', 'statement.1.actions.9': 'iam:UpdateRoleDescription', 'statement.1.effect': 'Deny', 'statement.1.resources': ['arn:aws:iam::*:user/cicd-member-user'], 'statement.1.resources.0': 'arn:aws:iam::*:user/cicd-member-user', 'statement.1.sid': 'denyOnCicdMemberUser', 'statement.2': {'actions': ['sts:AssumeRole'], 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'arn:aws:iam::*:role/member-delegation-read-only', 'arn:aws:iam::*:role/read-log-records'], 'sid': 'assumeRolesInSharedAccounts'}, 'statement.2.actions': ['sts:AssumeRole'], 'statement.2.actions.0': 'sts:AssumeRole', 'statement.2.resources': {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services'}, 'statement.2.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/ad-fixngo-ec2-access', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/member-shared-services', 'statement.2.resources.2': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-limited-read-member-access', 'statement.2.resources.3': 'arn:aws:iam::${data.aws_caller_identity.modernisation-platform}:role/modernisation-account-terraform-state-member-access', 'statement.2.resources.4': 
'arn:aws:iam::*:role/ModernisationPlatformSSOReadOnly', 'statement.2.resources.5': 'arn:aws:iam::*:role/member-delegation-read-only', 'statement.2.resources.6': 'arn:aws:iam::*:role/read-log-records', 'statement.2.sid': 'assumeRolesInSharedAccounts'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:09,843 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.2.resources and value {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science'} for vertex attributes {'__end_line__': 461, '__start_line__': 373, 'statement': [{'actions': ['airflow:GetEnvironment', 'airflow:ListEnvironments', 'airflow:ListTagsForResource', 'athena:DeleteNamedQuery', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'ce:CreateReport', 'dms:ModifyReplicationTask', 'dms:StartReplicationTask', 'dms:StopReplicationTask', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable', 'dynamodb:GetItem', 'dynamodb:PutItem', 'glue:*DefinedFunction', 'glue:*Job', 'glue:*JobRun', 'glue:*Trigger', 'glue:Batch*Partition', 'glue:BatchDeleteTable', 'glue:BatchGetJobs', 'glue:CreateDatabase', 'glue:CreatePartition', 'glue:CreateSession', 'glue:CreateTable', 'glue:DeleteDatabase', 'glue:DeletePartition', 'glue:DeleteTable', 'glue:Get*', 'glue:List*', 'glue:RunStatement', 'glue:TagResource', 'glue:UntagResource', 'glue:UpdateDatabase', 'glue:UpdatePartition', 'glue:UpdateTable', 'lakeformation:BatchGrantPermissions', 'lakeformation:BatchRevokePermissions', 'lakeformation:CreateLakeFormationOptIn', 'lakeformation:DeleteLakeFormationOptIn', 'lakeformation:GetDataAccess', 'lakeformation:GetDataLakeSettings', 'lakeformation:GrantPermissions', 'lakeformation:ListLakeFormationOptIns', 'lakeformation:PutDataLakeSettings', 'lakeformation:RevokePermissions', 'lambda:PutRuntimeManagementConfig', 's3:GetBucketOwnershipControls', 's3:PutBucketNotificationConfiguration', 's3:PutObjectAcl', 'states:Describe*', 'states:List*', 'states:RedriveExecution', 'states:Start*', 'states:Stop*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'DataEngineeringAllow'}, {'actions': ['airflow:CreateWebLoginToken'], 'effect': 'Allow', 'resources': ['${"arn:aws:airflow:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:role/*/User"}'], 'sid': 'AirflowUIAccess'}, {'actions': ['iam:PassRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'], 'sid': ''}, {'actions': ['sts:AssumeRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access'], 'sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}], 'statement.0': {'actions': ['airflow:GetEnvironment', 'airflow:ListEnvironments', 'airflow:ListTagsForResource', 'athena:DeleteNamedQuery', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'ce:CreateReport', 'dms:ModifyReplicationTask', 'dms:StartReplicationTask', 'dms:StopReplicationTask', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable', 'dynamodb:GetItem', 'dynamodb:PutItem', 'glue:*DefinedFunction', 'glue:*Job', 'glue:*JobRun', 'glue:*Trigger', 'glue:Batch*Partition', 'glue:BatchDeleteTable', 'glue:BatchGetJobs', 'glue:CreateDatabase', 'glue:CreatePartition', 'glue:CreateSession', 'glue:CreateTable', 'glue:DeleteDatabase', 'glue:DeletePartition', 'glue:DeleteTable', 'glue:Get*', 'glue:List*', 'glue:RunStatement', 'glue:TagResource', 'glue:UntagResource', 'glue:UpdateDatabase', 'glue:UpdatePartition', 'glue:UpdateTable', 'lakeformation:BatchGrantPermissions', 'lakeformation:BatchRevokePermissions', 'lakeformation:CreateLakeFormationOptIn', 'lakeformation:DeleteLakeFormationOptIn', 'lakeformation:GetDataAccess', 'lakeformation:GetDataLakeSettings', 'lakeformation:GrantPermissions', 'lakeformation:ListLakeFormationOptIns', 'lakeformation:PutDataLakeSettings', 'lakeformation:RevokePermissions', 'lambda:PutRuntimeManagementConfig', 's3:GetBucketOwnershipControls', 's3:PutBucketNotificationConfiguration', 's3:PutObjectAcl', 'states:Describe*', 'states:List*', 'states:RedriveExecution', 'states:Start*', 'states:Stop*'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'DataEngineeringAllow'}, 'statement.0.actions': ['airflow:GetEnvironment', 'airflow:ListEnvironments', 'airflow:ListTagsForResource', 'athena:DeleteNamedQuery', 'athena:StartQueryExecution', 'athena:StopQueryExecution', 'ce:CreateReport', 'dms:ModifyReplicationTask', 'dms:StartReplicationTask', 'dms:StopReplicationTask', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable', 'dynamodb:GetItem', 'dynamodb:PutItem', 'glue:*DefinedFunction', 'glue:*Job', 'glue:*JobRun', 'glue:*Trigger', 'glue:Batch*Partition', 'glue:BatchDeleteTable', 'glue:BatchGetJobs', 'glue:CreateDatabase', 'glue:CreatePartition', 'glue:CreateSession', 'glue:CreateTable', 'glue:DeleteDatabase', 'glue:DeletePartition', 'glue:DeleteTable', 'glue:Get*', 'glue:List*', 'glue:RunStatement', 'glue:TagResource', 'glue:UntagResource', 'glue:UpdateDatabase', 'glue:UpdatePartition', 'glue:UpdateTable', 'lakeformation:BatchGrantPermissions', 'lakeformation:BatchRevokePermissions', 'lakeformation:CreateLakeFormationOptIn', 'lakeformation:DeleteLakeFormationOptIn', 'lakeformation:GetDataAccess', 'lakeformation:GetDataLakeSettings', 'lakeformation:GrantPermissions', 'lakeformation:ListLakeFormationOptIns', 'lakeformation:PutDataLakeSettings', 'lakeformation:RevokePermissions', 'lambda:PutRuntimeManagementConfig', 's3:GetBucketOwnershipControls', 's3:PutBucketNotificationConfiguration', 's3:PutObjectAcl', 'states:Describe*', 'states:List*', 'states:RedriveExecution', 'states:Start*', 'states:Stop*'], 'statement.0.actions.0': 'airflow:GetEnvironment', 'statement.0.actions.1': 'airflow:ListEnvironments', 'statement.0.actions.2': 'airflow:ListTagsForResource', 'statement.0.actions.3': 'athena:DeleteNamedQuery', 'statement.0.actions.4': 'athena:StartQueryExecution', 'statement.0.actions.5': 'athena:StopQueryExecution', 'statement.0.actions.6': 'ce:CreateReport', 'statement.0.actions.7': 'dms:ModifyReplicationTask', 'statement.0.actions.8': 'dms:StartReplicationTask', 'statement.0.actions.9': 'dms:StopReplicationTask', 'statement.0.actions.10': 'dynamodb:DeleteItem', 'statement.0.actions.11': 'dynamodb:DescribeTable', 'statement.0.actions.12': 'dynamodb:GetItem', 'statement.0.actions.13': 'dynamodb:PutItem', 'statement.0.actions.14': 'glue:*DefinedFunction', 'statement.0.actions.15': 'glue:*Job', 'statement.0.actions.16': 'glue:*JobRun', 'statement.0.actions.17': 'glue:*Trigger', 'statement.0.actions.18': 'glue:Batch*Partition', 'statement.0.actions.19': 'glue:BatchDeleteTable', 'statement.0.actions.20': 'glue:BatchGetJobs', 'statement.0.actions.21': 'glue:CreateDatabase', 'statement.0.actions.22': 'glue:CreatePartition', 'statement.0.actions.23': 'glue:CreateSession', 'statement.0.actions.24': 'glue:CreateTable', 'statement.0.actions.25': 'glue:DeleteDatabase', 'statement.0.actions.26': 'glue:DeletePartition', 'statement.0.actions.27': 'glue:DeleteTable', 'statement.0.actions.28': 'glue:Get*', 'statement.0.actions.29': 'glue:List*', 'statement.0.actions.30': 'glue:RunStatement', 'statement.0.actions.31': 'glue:TagResource', 'statement.0.actions.32': 'glue:UntagResource', 'statement.0.actions.33': 'glue:UpdateDatabase', 'statement.0.actions.34': 'glue:UpdatePartition', 'statement.0.actions.35': 'glue:UpdateTable', 'statement.0.actions.36': 'lakeformation:BatchGrantPermissions', 'statement.0.actions.37': 'lakeformation:BatchRevokePermissions', 'statement.0.actions.38': 'lakeformation:CreateLakeFormationOptIn', 'statement.0.actions.39': 'lakeformation:DeleteLakeFormationOptIn', 'statement.0.actions.40': 'lakeformation:GetDataAccess', 'statement.0.actions.41': 'lakeformation:GetDataLakeSettings', 'statement.0.actions.42': 'lakeformation:GrantPermissions', 'statement.0.actions.43': 'lakeformation:ListLakeFormationOptIns', 'statement.0.actions.44': 'lakeformation:PutDataLakeSettings', 'statement.0.actions.45': 'lakeformation:RevokePermissions', 'statement.0.actions.46': 'lambda:PutRuntimeManagementConfig', 'statement.0.actions.47': 's3:GetBucketOwnershipControls', 'statement.0.actions.48': 's3:PutBucketNotificationConfiguration', 'statement.0.actions.49': 's3:PutObjectAcl', 'statement.0.actions.50': 'states:Describe*', 'statement.0.actions.51': 'states:List*', 'statement.0.actions.52': 'states:RedriveExecution', 'statement.0.actions.53': 'states:Start*', 'statement.0.actions.54': 'states:Stop*', 'statement.0.effect': 'Allow', 'statement.0.resources': ['*'], 'statement.0.resources.0': '*', 'statement.0.sid': 'DataEngineeringAllow', 'statement.1': {'actions': ['airflow:CreateWebLoginToken'], 'effect': 'Allow', 'resources': ['${"arn:aws:airflow:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:role/*/User"}'], 'sid': 'AirflowUIAccess'}, 'statement.1.actions': ['airflow:CreateWebLoginToken'], 'statement.1.actions.0': 'airflow:CreateWebLoginToken', 'statement.1.effect': 'Allow', 'statement.1.resources': ['${"arn:aws:airflow:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:role/*/User"}'], 'statement.1.resources.0': '${"arn:aws:airflow:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:role/*/User"}', 'statement.1.sid': 'AirflowUIAccess', 'statement.2': {'actions': ['iam:PassRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'], 'sid': ''}, 'statement.2.actions': ['iam:PassRole'], 'statement.2.actions.0': 'iam:PassRole', 'statement.2.effect': 'Allow', 'statement.2.resources': {'1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf'}, 'statement.2.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-first-data-science', 'statement.2.resources.1': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/glue-notebook-role-tf', 'statement.2.sid': '', 'statement.3': {'actions': ['sts:AssumeRole'], 'effect': 'Allow', 'resources': ['arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access'], 'sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}, 'statement.3.actions': ['sts:AssumeRole'], 'statement.3.actions.0': 'sts:AssumeRole', 'statement.3.effect': 'Allow', 'statement.3.resources': {'0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access'}, 'statement.3.resources.0': 'arn:aws:iam::${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}:role/data-engineering-state-access', 'statement.3.sid': 'AllowAssumeAnalyticalPlatformDataEngineeringStateAccessRole'}. Falling back to explicitly setting it. Exception - Parse error at 1:14 near token resources (ID)
terraform scan results:

Passed checks: 121, Failed checks: 0, Skipped checks: 55


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/sprinkler
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-26 11:56:12,616 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=84a83751b5289f363a728eb181470b59fc5e2899:None (for external modules, the --download-external-modules flag is required)
2024-11-26 11:56:12,824 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.resources and value {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'} for vertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'statement.0.condition.values.0': '${local.environment_management.account_ids[terraform.workspace]}', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. Falling back to explicitly setting it. Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:12,842 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition and value {'values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}} for vertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}, 'statement.0.condition.values.0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. Falling back to explicitly setting it. Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 11:56:12,882 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.resources and value {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'} for vertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'statement.0.condition.values.0': '${local.environment_management.account_ids[terraform.workspace]}', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. Falling back to explicitly setting it. Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:12,899 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition and value {'values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}} for vertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}, 'statement.0.condition.values.0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. Falling back to explicitly setting it. Exception - Parse error at 1:14 near token condition (ID)
2024-11-26 11:56:12,933 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.resources and value {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'} for vertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': ['${local.environment_management.account_ids[terraform.workspace]}'], 'statement.0.condition.values.0': '${local.environment_management.account_ids[terraform.workspace]}', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': 
['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. 
Falling back to explicitly setting it.Exception - Parse error at 1:14 near token resources (ID)
2024-11-26 11:56:12,951 [MainThread  ] [WARNI]  Failed updating attribute for key: statement.0.condition and value {'values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}} forvertex attributes {'__end_line__': 63, '__start_line__': 12, 'statement': [{'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': ['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}], 'statement.0': {'actions': ['sts:AssumeRole'], 'condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'effect': 'Allow', 'resources': 
['format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'], 'sid': 'AllowOIDCToAssumeRoles'}, 'statement.0.actions': ['sts:AssumeRole'], 'statement.0.actions.0': 'sts:AssumeRole', 'statement.0.condition': {'test': 'StringEquals', 'values': ['${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'], 'variable': 'aws:PrincipalAccount'}, 'statement.0.condition.test': 'StringEquals', 'statement.0.condition.values': {'0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]'}, 'statement.0.condition.values.0': '${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)}["terraform.workspace"]', 'statement.0.condition.variable': 'aws:PrincipalAccount', 'statement.0.effect': 'Allow', 'statement.0.resources': {'0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})'}, 'statement.0.resources.0': 'format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.resources.1': 'format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access",${jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)})', 'statement.0.sid': 'AllowOIDCToAssumeRoles', 'statement.1': {'actions': ['kms:Decrypt'], 'effect': 'Allow', 'resources': ['*'], 'sid': 'AllowOIDCToDecryptKMS'}, 'statement.1.actions': ['kms:Decrypt'], 'statement.1.actions.0': 'kms:Decrypt', 
'statement.1.effect': 'Allow', 'statement.1.resources': ['*'], 'statement.1.resources.0': '*', 'statement.1.sid': 'AllowOIDCToDecryptKMS', 'statement.2': {'actions': ['s3:Get*', 's3:List*'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'sid': 'AllowOIDCReadState'}, 'statement.2.actions': ['s3:Get*', 's3:List*'], 'statement.2.actions.0': 's3:Get*', 'statement.2.actions.1': 's3:List*', 'statement.2.effect': 'Allow', 'statement.2.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/', 'arn:aws:s3:::modernisation-platform-terraform-state/*'], 'statement.2.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/', 'statement.2.resources.1': 'arn:aws:s3:::modernisation-platform-terraform-state/*', 'statement.2.sid': 'AllowOIDCReadState', 'statement.3': {'actions': ['s3:PutObject', 's3:PutObjectAcl'], 'effect': 'Allow', 'resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'sid': 'AllowOIDCWriteState'}, 'statement.3.actions': ['s3:PutObject', 's3:PutObjectAcl'], 'statement.3.actions.0': 's3:PutObject', 'statement.3.actions.1': 's3:PutObjectAcl', 'statement.3.effect': 'Allow', 'statement.3.resources': ['arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*'], 'statement.3.resources.0': 'arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*', 'statement.3.sid': 'AllowOIDCWriteState', 'statement.4': {'actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'effect': 'Deny', 'resources': ['*']}, 'statement.4.actions': ['iam:ChangePassword', 'iam:CreateLoginProfile', 'iam:DeleteUser', 'iam:DeleteVirtualMFADevice'], 'statement.4.actions.0': 'iam:ChangePassword', 'statement.4.actions.1': 'iam:CreateLoginProfile', 'statement.4.actions.2': 'iam:DeleteUser', 'statement.4.actions.3': 'iam:DeleteVirtualMFADevice', 
'statement.4.effect': 'Deny', 'statement.4.resources': ['*'], 'statement.4.resources.0': '*'}. Falling back to explicitly setting it.Exception - Parse error at 1:14 near token condition (ID)
terraform scan results:

Passed checks: 16, Failed checks: 0, Skipped checks: 2


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler

*****************************

Running tflint in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/sprinkler
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on
terraform/environments/sprinkler

*****************************

Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T11:56:00Z	INFO	[vulndb] Need to update DB
2024-11-26T11:56:00Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-26T11:56:00Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T11:56:03Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T11:56:03Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T11:56:03Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T11:56:03Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T11:56:03Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-26T11:56:03Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 121.355µs, allowed: 44000/minute"
2024-11-26T11:56:03Z	INFO	[secret] Secret scanning is enabled
2024-11-26T11:56:03Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T11:56:03Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T11:56:04Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T11:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T11:56:04Z	INFO	Number of language-specific files	num=0
2024-11-26T11:56:04Z	INFO	Detected config files	num=2
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/sprinkler
2024-11-26T11:56:04Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T11:56:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T11:56:04Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T11:56:04Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-26T11:56:04Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 914.961µs, allowed: 44000/minute\n\n"
2024-11-26T11:56:04Z	INFO	[secret] Secret scanning is enabled
2024-11-26T11:56:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T11:56:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T11:56:05Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T11:56:05Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-26T11:56:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-11-26T11:56:06Z	INFO	Number of language-specific files	num=0
2024-11-26T11:56:06Z	INFO	Detected config files	num=1
trivy_exitcode=0


Trivy Scan Success

Show Output

Trivy will check the following folders:
terraform/environments/bootstrap/single-sign-on


Running Trivy in terraform/environments/bootstrap/single-sign-on
2024-11-26T13:47:56Z INFO [vulndb] Need to update DB
2024-11-26T13:47:56Z INFO [vulndb] Downloading vulnerability DB...
2024-11-26T13:47:56Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T13:47:58Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T13:47:58Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T13:47:58Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T13:47:58Z INFO [misconfig] Need to update the built-in checks
2024-11-26T13:47:58Z INFO [misconfig] Downloading the built-in checks...
2024-11-26T13:47:58Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 369.906µs, allowed: 44000/minute"
2024-11-26T13:47:58Z INFO [secret] Secret scanning is enabled
2024-11-26T13:47:58Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T13:47:58Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T13:47:59Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.administator" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.data_engineer" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.developer" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.fleet_manager" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-access" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.instance-management" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.migration" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.mwaa_user" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.powerbi_user" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.quicksight_admin" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.read_only" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.reporting-operations" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.sandbox" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.security_audit" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_ssoadmin_account_assignment.view_only" value="cty.NilVal"
2024-11-26T13:47:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_identitystore_group.member" value="cty.NilVal"
2024-11-26T13:47:59Z INFO Number of language-specific files num=0
2024-11-26T13:47:59Z INFO Detected config files num=2
trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/single-sign-on

*****************************

Running Checkov in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 122, Failed checks: 0, Skipped checks: 55


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/single-sign-on

*****************************

Running tflint in terraform/environments/bootstrap/single-sign-on
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


sukeshreddyg deleted the feature/update-sprinkler-workflow branch November 27, 2024 09:52